The Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services revised its joint ALPHV Blackcat cybersecurity alert Tuesday to disseminate new indicators of compromise observed this month.

Also, Blackcat has allegedly claimed that it exfiltrated 6T bytes of Change Healthcare data and denied using the ConnectWise ScreenConnect vulnerability to gain access.


The battle continues between ALPHV Blackcat and U.S. cyber defenses as healthcare takes on the heaviest attacks in response to a U.S.-led law enforcement operation that hacked into and seized the Russia-based ALPHV, or Blackcat, ransomware’s darknet website and infrastructure in December.

The latest in the joint FBI, CISA and HHS advisory on the ransomware variant provides new updates to those last released released December 19 as well as to the FBI FLASH Blackcat/ALPHV Ransomware Indicators of Compromise released on April 19, 2022. 

“FBI, CISA, and HHS encourage critical infrastructure organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents,” the agencies said.

Bleeping Computer reported Wednesday that in a statement published on the Blackcat dark web leak site, the cybercriminals alleged that they stole 6TB of data, including the U.S. military’s Tricare healthcare program, Medicare, CVS Caremark, MetLife, Health Net and others from the Change Healthcare network breach.

According to the article, Blackcat claimed to have medical, insurance and dental records along with payment and claims data and the personally identifiable information of patients and active U.S. military/navy personnel.


Groups including the American Hospital Association and Health Information Sharing and Analysis Center also advised the healthcare sector Tuesday that there will be more victims of the February 21 Change Healthcare cyberattack in the coming days.

Rick Pollack, AHA president and CEO said the Change cybersecurity attack is a “threat-to-life crime” in a call with hospital leaders on Friday.

While H-ISAC discussed network indicators impacting ScreenConnect Remote Access in its bulletin, Blackcat denied that affiliates who breached Change Healthcare’s network used an access bypass flaw that has since been patched, according to the story on Bleeping Computer. 

Meanwhile, CNN reported on the Change cyberattack’s disruption to providers where some said that they are struggling to employ workarounds for payments. Some patients and caregivers also told the outlet that they were unable to refill or access vital medications. 


“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized,” the agencies said in the revised ALPHV Blackcat joint advisory. 

“This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.

Leave a Reply

Your email address will not be published. Required fields are marked *